sandbox/win/src/filesystem_policy.h

   1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef SANDBOX_SRC_FILESYSTEM_POLICY_H__
   6 #define SANDBOX_SRC_FILESYSTEM_POLICY_H__
   7
   8 #include <string>
   9
  10 #include "base/basictypes.h"
  11 #include "base/strings/string16.h"
  12 #include "sandbox/win/src/crosscall_server.h"
  13 #include "sandbox/win/src/nt_internals.h"
  14 #include "sandbox/win/src/policy_low_level.h"
  15 #include "sandbox/win/src/sandbox_policy.h"
  16
  17 namespace sandbox {
  18
  19 enum EvalResult;
  20
  21 // This class centralizes most of the knowledge related to file system policy
  22 class FileSystemPolicy {
  23  public:
  24   // Creates the required low-level policy rules to evaluate a high-level
  25   // policy rule for File IO, in particular open or create actions.
  26   // 'name' is the file or directory name.
  27   // 'semantics' is the desired semantics for the open or create.
  28   // 'policy' is the policy generator to which the rules are going to be added.
  29   static bool GenerateRules(const wchar_t* name,
  30                             TargetPolicy::Semantics semantics,
  31                             LowLevelPolicy* policy);
  32
  33   // Add basic file system rules.
  34   static bool SetInitialRules(LowLevelPolicy* policy);
  35
  36   // Performs the desired policy action on a create request with an
  37   // API that is compatible with the IPC-received parameters.
  38   // 'client_info' : the target process that is making the request.
  39   // 'eval_result' : The desired policy action to accomplish.
  40   // 'file' : The target file or directory.
  41   static bool CreateFileAction(EvalResult eval_result,
  42                                const ClientInfo& client_info,
  43                                const base::string16 &file,
  44                                uint32 attributes,
  45                                uint32 desired_access,
  46                                uint32 file_attributes,
  47                                uint32 share_access,
  48                                uint32 create_disposition,
  49                                uint32 create_options,
  50                                HANDLE* handle,
  51                                NTSTATUS* nt_status,
  52                                ULONG_PTR* io_information);
  53
  54   // Performs the desired policy action on an open request with an
  55   // API that is compatible with the IPC-received parameters.
  56   // 'client_info' : the target process that is making the request.
  57   // 'eval_result' : The desired policy action to accomplish.
  58   // 'file' : The target file or directory.
  59   static bool OpenFileAction(EvalResult eval_result,
  60                              const ClientInfo& client_info,
  61                              const base::string16 &file,
  62                              uint32 attributes,
  63                              uint32 desired_access,
  64                              uint32 share_access,
  65                              uint32 open_options,
  66                              HANDLE* handle,
  67                              NTSTATUS* nt_status,
  68                              ULONG_PTR* io_information);
  69
  70   // Performs the desired policy action on a query request with an
  71   // API that is compatible with the IPC-received parameters.
  72   static bool QueryAttributesFileAction(EvalResult eval_result,
  73                                         const ClientInfo& client_info,
  74                                         const base::string16 &file,
  75                                         uint32 attributes,
  76                                         FILE_BASIC_INFORMATION* file_info,
  77                                         NTSTATUS* nt_status);
  78
  79   // Performs the desired policy action on a query request with an
  80   // API that is compatible with the IPC-received parameters.
  81   static bool QueryFullAttributesFileAction(
  82       EvalResult eval_result,
  83       const ClientInfo& client_info,
  84       const base::string16 &file,
  85       uint32 attributes,
  86       FILE_NETWORK_OPEN_INFORMATION* file_info,
  87       NTSTATUS* nt_status);
  88
  89   // Performs the desired policy action on a set_info request with an
  90   // API that is compatible with the IPC-received parameters.
  91   static bool SetInformationFileAction(EvalResult eval_result,
  92                                        const ClientInfo& client_info,
  93                                        HANDLE target_file_handle,
  94                                        void* file_info,
  95                                        uint32 length,
  96                                        uint32 info_class,
  97                                        IO_STATUS_BLOCK* io_block,
  98                                        NTSTATUS* nt_status);
  99 };
 100
 101 // Expands the path and check if it's a reparse point. Returns false if
 102 // we cannot determine or if there is an unexpected error. In that case
 103 // the path cannot be trusted.
 104 bool PreProcessName(const base::string16& path, base::string16* new_path);
 105
 106 // Corrects global paths to have a correctly escaped NT prefix at the
 107 // beginning. If the name has no NT prefix (either normal or escaped)
 108 // add the escaped form to the string
 109 base::string16 FixNTPrefixForMatch(const base::string16& name);
 110
 111 }  // namespace sandbox
 112
 113 #endif  // SANDBOX_SRC_FILESYSTEM_POLICY_H__